In determining the location of a license server, discoverability is the most critical factor. A domain, site, or workgroup that hosts terminal servers must also host a license server. The recommended method of configuring license servers for high availability is to install at least two license servers that have available Terminal Services CALs. Each server will then advertise in Active Directory® directory service as enterprise license servers with regard to the following
LDAP: //CN=TS-Enterprise-License-Server,CN=site name,CN=sites,CN=configuration-container.
Each license server should contain 50% of the CALs that you use for load balancing. If a license server does not have valid CALs, then that license server will attempt to refer to other license servers with valid CALs for license issuance. (This applies to both enterprise license servers and domain license servers.)
The following table provides a summary of high-availability scenarios for issuing temporary and permanent licenses.
Table 1 License Issuance Matrix
-
|
License Server A - Available
|
License Server A - Down
|
License Server B - Available
|
License Server B - Down
|
License Server A and License Server B Down
|
New Client License
|
Issue temporary license for 90 days
|
Failover to License Server B
|
Issue temporary license for 90 days
|
Failover to License Server A
|
Fail to connect
|
Existing Temporary License
|
Issue permanent license for 52-89 days
|
Failover to License Server B
|
Issue permanent license for 52-89 days
|
Failover to License Server A
|
Allow connection until expired
|
Expired Temporary License
|
Issue permanent license for 52-89 days
|
Failover to License Server B
|
Issue permanent license for 52-89 days
|
Failover to License Server A
|
Fail to connect
|
Existing Permanent License
|
Allow connect—will reissue license at 7 days before expiration
|
Failover to License Server B
|
Allow connect—will reissue license at 7 days before expiration
|
Failover to License Server A
|
Allow connect—will fail when the CAL expires
|
Expired Permanent License
|
Reissue license with new expiration
|
Failover to License Server B
|
Reissue license with new expiration
|
Failover to License Server A
|
Fail to connect
|
Existing Windows 2000 License
|
Allow connection
|
Allow connection
|
Allow connection
|
Allow connection
|
Allow connection
|
Each client will begin a license request and upgrade 7 days prior to the license expiration date. This should allow sufficient time to address any issues with individual license servers. If all license servers are down at the same time, new clients or clients with expired licenses will be denied access. In addition, license servers should be separated by network subnets to ensure that a network outage does not prevent users from connecting to a license Server.
Finally, administrators should use the Terminal Server Licensing Tool to ensure that at least 10% of their CALs are available on each license server. However, if available licenses are limited to a single license server that suffers an outage, clients with expired licenses will be denied access immediately, and clients with licenses that expire within the next 7 days will be denied access on their expiration dates.
License Token Announcement
In certain cases, license servers will notify each other when license tokens are added or removed from their databases. This notification system allows license servers to redirect license token requests to other license servers when they have no license tokens to issue. Listed below are the supported configurations and topologies:
Between domain license servers in the same domain
Between enterprise license servers in the same site and domain
From enterprise license servers to domain license servers
From license servers running Windows 2000 to Windows Server 2003
Terminal server in Windows Server 2003 supports the following licensing modes:
Per Device License tokens are assigned to each device that connects to a particular terminal server
Per User License tokens are assigned to each user that connects to a particular terminal server
In order to use a combination of User, Device, and External Connector licenses on single terminal server, you should configure your server in Per User mode.
By default, a terminal server running Windows 2000 that is upgraded to Windows Server 2003 is placed in Per Device mode. However, if the terminal server running Windows 2000 is in Internet Connector mode, the server is placed in Per User mode.
Licensing Process Client License Distribution Per Device
All communication during the licensing process occurs between the client and the terminal server, and between the terminal server and the license server. The terminal server client never communicates directly with the license server.
When a client device attempts to connect to a terminal server in Per Device mode, the terminal server determines if the client has a license token. Terminal server clients store license tokens in the following location:
HKEY_LOCAL_MACHINE\Software\Microsoft\MSLicensing
If a client has no license token, the terminal server attempts to contact a license server from its list of discovered license servers. If no contact is made, the terminal server restarts the discovery process. If no license server responds, the device can not connect to the terminal server unless it is operating within the terminal server grace period.
When a license server responds, the terminal server requests a temporary token for the device because this is the first time the device has connected to a terminal server. The terminal server then pushes this temporary token to the device. After a user has provided valid credentials resulting in a successful logon, the terminal server instructs the license server to mark the issued temporary token as validated.
The next time a user attempts to connect to a terminal server in Per Device mode from this device, the terminal server requests a Windows Server 2003 TS Device CAL token for this device. If the license server has available TS Device CAL tokens, the license server removes one token from the available pool, marks it as issued to the device, logs the device name, the user name of the device, and the date issued, and then pushes this TS Device CAL token to the device.
If the license server has no TS Device CAL tokens, it will first look to any other license server in its domain, workgroup, or site. License servers maintain information about where other accessible license servers exist, and if they have license tokens. If another license server is accessible that does have inventory, the first license server will request a license token from the second license server and deliver it to the terminal server, which then passes the token to the client device. If there are no available TS Device CAL tokens, the device will continue to connect with the temporary token.
Temporary tokens allow devices to connect for 90 days, and will then expire. TS Device CALs, while representing perpetual licenses, are set to expire 52-89 days from the date they are issued. The terminal server always attempts to renew these tokens 7 days prior to their expiration. This purpose of this is to recover TS Device CAL tokens that are lost due to events such as hardware failure or operating system reinstallation.
When a terminal server is configured in Per User mode, the terminal server must be able to locate a license server after the grace period has expired. While it is possible to install TS Per User CAL tokens on a license server, there is currently no method of assigning a TS Per User CAL token to a particular user account.
Client License Distribution for External Connector
There is currently no support in Terminal Server Licensing or the Microsoft Clearinghouse for the External Connector. In order to use an External Connector license, you will need to configure your terminal server in Per User mode.
Additional Server Configuration License Server Backup
Choose the following options within Ntbackup when backing up a license server:
License server directory (by default, %systemroot%\system32\lserver)
Repair directory (by default, %systemroot%\Repair )
System state
In order to move or replace an existing license server, perform the following tasks:
Install and activate a license server on the new computer.
Install the number and type of TS CAL tokens, equal to the number and type installed on the original license server that is being replaced. You might use any of the three available connections methods available. Depending on how you purchased your TS CALs, it might be necessary to phone a Microsoft Customer Service Representative if both the Automatic and Web methods fail.
Ensure that the new license server is discoverable by your terminal servers. For example, if you previously configured your terminal servers to request tokens from the old license server, you need to modify them to request tokens from the new license server.
Uninstall or deactivate the old license server if you are replacing an active license server.
Clients that were issued tokens by the retired license server will continue to use those tokens until they expire. As tokens expire, clients will be assigned new tokens from the new license server.
|